
Exploring End- Security Awareness within a South African context

Jacques Ophoff and Mark Robinson
Centre for Information Technology and National Development in Africa (CITANDA)
Dept. of Information Systems
University of Cape Town
Cape Town, South Africa

Abstract—International research has shown that users are complacent when it comes to smartphone security behaviour. This is contradictory, as users perceive data stored on the ‘smart’ devices to be private and worth protecting. Traditionally less attention is paid to human factors compared to technical security controls (such as firewalls and antivirus), but there is a crucial need to analyse human aspects as technology alone cannot deliver complete security solutions. Increasing a user’s knowledge can improve compliance with good security practices, but for trainers and educators to create meaningful security awareness materials they must have a thorough understanding of users’ existing behaviours, misconceptions and general attitude towards smartphone security.

The primary purpose of this research was to assess the level of smartphone security awareness displayed by the public, determining whether a general level of security complacency exists amongst smartphone users. The study was undertaken in a South African context (a multi-cultural developing nation) and included demographics as a variable in assessing any differences in smartphone security awareness between population groups. A modified version of the instrument developed by [1] was used.

A survey of 619 South African users examined trust of smartphone application repositories, users’ considerations when installing new applications and their use of protection mechanisms (security controls). The sample proved complacent in their smartphone security behaviours with users displaying high levels of trust towards smartphone application repositories, rarely considering privacy and security considerations when installing new applications and also not adequately protecting themselves through adopting smartphone protection mechanisms (controls). The research did not find any conclusive associations to suggest that a user’s home language impacts their information security behaviour or trust. However, an association between IT expertise and the adoption of smartphone security controls was found.

Index Terms—Smartphone, Awareness and Training in Security, Mobile Computing Security.

978-1-4799-3383-9/14/$31.00 ©2014 IEEE

I. INTRODUCTION

International research has shown that users, and university students in particular, are complacent when it comes to security behaviour in using smartphones [1]–[3]. This is a contradictory phenomenon as users perceive data stored on the ‘smart’ devices to be private and worth protecting [4], [5].

Smartphone adoption is ever-increasing with sales forecasts showing that the number of smartphones shipped now exceeds that of basic and feature phones. These devices are prone to theft, loss and damage and resultantly pose a significant information security risk to individuals and organisations alike.

Traditionally less attention is paid to human factors compared to technical security controls (such as firewalls and antivirus), but there is a crucial need to analyse human aspects as technology alone cannot deliver complete security solutions [6]. Understanding users is necessary to bridge the perceived disconnect between security managers and users in creating more effective and workable security measures; as well as sustaining good security practice by ensuring cooperation and engagement [6]–[8].

Increasing a user’s knowledge can improve compliance with good security practices [9]. However, for trainers and educators to create meaningful security awareness materials they must have a thorough understanding of users’ existing behaviours, misconceptions and general attitude towards smartphone security [10]. The main objective of this research is to explore the level of smartphone security awareness in South Africa through analysing security perceptions (knowledge) and related behaviours.

The paper proceeds as follows: first a literature review of security, specifically related to is presented. Next the chosen research methodology is discussed. Thereafter the collected data is analysed and findings are presented. The paper concludes with recommendations for future research.

II. LITERATURE REVIEW

can be defined as “the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability” [11]. Information security and privacy is a key concern for modern enterprise with the Society for Information Management (SIM) survey consistently ranking security and privacy in the top ten concerns facing US IT managers and top twenty concerns globally [12]. Information security and privacy is not only a concern for organisations but should be mirrored by individual end-users who also perceive their information to be private and worth protecting [4], [5].

End-users are increasingly reliant on mobile devices and it is expected that the stated growth in smartphone adoption will result in mobile internet usage exceeding that of traditional desktop computers by the year 2015; with the stated change in device adoption, consumers are increasingly using mobile devices for sensitive tasks such as email, banking and purchasing goods and services [5]. This is evidenced by the gradual conversion from E-Commerce to M-Commerce [13].

Information security research and practice has traditionally focused on mostly external facing technical solutions (such as firewalls and antivirus) to secure information assets and has paid little attention to behavioural information security but this is no longer effective [6]. Security controls also have to be designed with human behaviour in mind [8]. Information security should be a holistic approach involving technical, behavioural, philosophical and organisational approaches [14]. That said, this paper is primarily focused on the behavioural aspects of information security.

A. Security-related Theories

Behavioural information security focuses on human behaviour through awareness and education and aims to protect information systems from a human perspective. Information security awareness is defined as an end-user’s general knowledge about information security and their ramifications [8]. Researchers have used or adapted several theories in assessing users’ behaviour and security awareness – the most frequently used theories include:

• The theory of reasoned action (TRA), or the extended theory of planned behaviour (TPB), posits that intentions are rational antecedents of any actions or behaviour [15]. [16] applied the framework to information security, suggesting that an employee’s intentions are positively influenced by normative beliefs and self-efficacy to comply with security policies.
• General deterrence theory (GDT) focuses on rational decision making to misuse information systems based on knowledge of sanctions or punishment [17].
• Protection motivation theory (PMT) posits that dealing with threats is a result of predicting protective behaviours. Research into employees has shown that attitudes are shaped by evaluating the threat and coping appraisal [16].
• The technology acceptance model (TAM) introduced by [18] has been applied in an information systems context to suggest that the intention to safeguard information assets is influenced by both perceived usefulness and perceived ease-of-use [19].

When combined these theories tend to suggest that security awareness (knowledge) influences users’ attitude to information security and their behaviour. This is supported by research by [16]. Further research has shown that the perception of information security may be likened to a type of risk perception and that there is a positive correlation between this perception (through knowledge) and both the adoption of IT appliances and the following of security practices [9].

B. Smartphone Risks and Threats

Smartphones are mobile phones which have advanced beyond ubiquitous telephony functionality; increasingly mirroring functionality found on computers as a result of having modern mobile operating systems which support a wide range of general-purpose applications termed apps [20]. Applications range from familiar web browsing, email and calendaring applications to interactive 3D applications, social networking and mapping tools [5]. Smartphones do not run uniform operating systems or hardware platforms; as a result each available operating system, or variant thereof, has its own unique attributes and employs different approaches. Currently there is a global convergence in the market towards two operating systems: Google’s Android and Apple’s iOS.

Smartphones face several of the same threats as traditional computers but are different in that they are prone to physical loss and theft, physical damage and are often improperly disposed of, which results in these devices being of considerable risk [21]. [22] identified several threats which are not dissimilar to those of traditional computers: malware, attacks on individuals, hacking and denial of service [3]. The term attacks on individuals is vague, and is likely to include several threats such as eavesdropping, unwarranted surveillance and tracking, identity theft, social-engineering, and the increasing direct billing fraud [23].

C. App Repositories as an Attack Vector

A salient difference between traditional shrink-wrapped software and smartphone applications is the manner in which applications are disseminated. Smartphones increasingly make use of centralised distribution architectures termed app repositories or marketplaces – which may be operated by platform vendors or third parties [1]. Smartphone vendors have taken different approaches to the installation of third-party applications which can be placed on a continuum depending on the amount of control retained by the vendor [24]:

• The walled garden model is characterised by the vendor retaining full control as users can only install applications distributed through the vendor’s official application repository. These applications are vetted and monitored and can be removed, remotely uninstalled or disabled by the vendor at will. This is the strongest approach in terms of security as most security decisions are retained by the vendor.
• The guardian model is similar to the walled garden but security decisions are left to a trusted third party.
• Unlike the walled garden the end-user control model leaves the user responsible for security decisions and users are able to install software from any source; consequently this is a far more flexible approach but is also weaker as all control and vetting by the vendor are lost.

D. Smartphone Security Controls

Approaches and controls are not dissimilar from traditional PCs but smartphone platforms are not as mature and as such often limit users’ ability to secure their devices and information properly [26]. Fragmentation in smartphone user interfaces results in various menus and settings for configuring smartphone security controls, which decreases the ease with which security controls can be deployed [27]. Security controls include but are not limited to: authentication – and personal identification number (PIN), firewalls, remote management, and and antivirus software [21].

, which are more complex in nature, allow for better protection than PINs; however their use is curtailed by users preferring the convenience of not entering passwords each time they wish to use their device [21]. Antivirus software is available for most smartphone platforms with numerous vendors supporting products; however the efficacy of the solutions is questionable [4].

E. Related Research

Previous research has shown that users, and university students in particular, are complacent when it comes to their security behaviour. A summary of related studies is shown in Table I.

TABLE I
RELATED RESEARCH ON SMARTPHONE SECURITY AWARENESS

| Authors | Sample Demographic | Findings |
|---|---|---|
| Chin, Felt, Sekar, and Wagner (2012) [2] | USA | Users are less likely to perform sensitive tasks on mobile devices as there is a lack of edification and misconceptions about security of applications exist. |
| Jones and Heinrichs (2012) [3] | USA | College students do not practice good smartphone security; partaking in high-risk activities while not making use of security controls. This study confirmed previous research. |
| Kelley, Cranor, and Sadeh (2013) [25] | USA | Android respondents view and read permissions screens but have limited understanding of the messages. Sample was unaware of security risks associated with mobile apps and market places. |
| Mylonas, Kastania, and Gritzalis (2013) [1] | Greece | General security complacency exists, with smartphone users: trusting application repositories, not fully using security controls and disregarding security during application selection and installation. |

Historically there is a lack of academic research to assess general security awareness in developing countries where socio-cultural environments, constrained resources and limited knowledge present higher barriers to the promotion of security awareness [28]. In addition, [1] and [3] are limited as the research does not compare security awareness across different demographics and user sub-groups. The next section discusses the research methodology employed in the current study.

III. RESEARCH METHODOLOGY

The intention of this research is to provide an exploratory and descriptive examination of users’ smartphone security awareness. A survey strategy was used, with a positivist approach to guide the quantitative analysis. An inductive approach formed the basis of the research by providing answers to the exploratory research questions within a South African context.

A. Research Questions

The primary purpose of this research is to assess the level of smartphone security awareness displayed by users in a South African context (a multi-cultural developing nation). It includes demographics as a variable in assessing any differences in smartphone security awareness between population groups. The potential relationship between home language and smartphone security awareness is also explored. This leads to the following research questions:

1) Do smartphone users trust applications from the official app repository?
2) Do users consider security while choosing and downloading applications?
3) Do smartphone users enable security controls on their devices?
4) Does home language or culture influence user security awareness?

B. Research Instrument

A modified online instrument based on the questionnaire by [1] was used. Modifications consisted mainly of additional control questions, additional response options and rewording of questions for improved understanding. The final research instrument consisted of 35 questions. The research instrument questions were intended to answer one, or several, of the research questions, as mapped in Table II.

TABLE II
RESEARCH QUESTION TO INSTRUMENT MAPPING

| Research Question | Instrument Questions |
|---|---|
| 1) Do smartphone users trust applications from the official app repository? | 15, 16, 17, 18, 34, 35 |
| 2) Do users consider security while choosing and downloading applications? | 16, 19, 20, 22, 23, 24 |
| 3) Do smartphone users enable security controls on their devices? | 25, 26, 27, 28, 29 |
| 4) Does home language or culture influence user security awareness? | 7, 8 |

A pilot study was undertaken to ensure that there were no technical problems with the online survey platform, instructions and questions were clear and unambiguous, and to gauge the questions’ validity and reliability.

C. Target Population and Sampling

The target population for the study was smartphone users whose devices were not controlled and protected by organisational IT policies using tools such as mobile device management (MDM) or mobile application management (MAM). Security controls imposed on users by IT managers potentially impact their ability to install applications at will, and the proposed research intends to assess user perception of applications and official application repositories.

Non-probability, self-selection sampling was used as it was difficult to ascertain potential respondents’ characteristics, beliefs or practices when it comes to security awareness. A link to the online research instrument was distributed electronically to various segments of the population using social media platforms and a mailing list at a large university.

The next section presents the data analysis and findings of the primary data collected from the research instrument.

IV. DATA ANALYSIS AND FINDINGS

A total of 856 recorded questionnaire responses were received. Of the 856 recorded responses, 100 (11.7%) were rejected during the analysis, as the respondents failed to fully complete the questionnaire. Of the remaining 756 complete responses, 12 respondents stated that they do not reside in South Africa and their responses were rejected as the research is intended to assess smartphone security awareness domestically. Of the remaining 744 participants a respondent indicated that he/she was less than 18 years old and for ethical reasons the respondent was not allowed to continue with the research questionnaire. Furthermore 81 respondents indicated that they did not own smartphones and of the smartphone owners 43 indicated that their devices were managed by a third party. All of these responses were rejected. After the aforementioned data cleaning, the remaining 619 responses will hereafter be referred to as ‘the sample’ for analysis.

A. Demographic Profile

The majority of respondents were between the ages of 18–25 (64.9%), with a further minority (12.9%) being between 26–30. The sample predominantly consisted of students (62.8%) and working adults (36.67%), with the remainder stating that neither was applicable to them. The recorded responses were almost equal among males (53.8%) and females (46.2%). The majority of respondents stated their native language as English (66.88%). While the majority of respondents were white (51%) all other race groups (in a South African context) were represented in the sample, as illustrated in Figure 1.

Fig. 1. Respondents’ Ethnicity

As illustrated in Figure 2 most respondents had a self-perception that their level of IT expertise was above average, with the majority of respondents classifying their IT expertise as Good (38.4%), followed by Moderate (30.69%) and Excellent (17.93%).

Fig. 2. Respondents’ Self-Perceived IT Expertise

Only a small minority of respondents had completed an information security course (7.4%), most of whom work in the Information Technology, Telecommunications, and Software and Computer Services industries. There was a definite association between having an information security qualification and perceived IT expertise, as expected.

The breakdown of top mobile platforms used by respondents is shown in Table III. The dominant platform is Google’s Android (46.7%) with even more adoption than in [1]. For comparison South African industry statistics from 2012 are also shown [29].

TABLE III
RESPONDENTS’ BY MOBILE PLATFORM

| Platform | Current Research | RSA 2012 [29] | GRC 2013 [1] |
|---|---|---|---|
| Android | 46.7% | 8% | 38.4% |
| Blackberry | 26.2% | 48% | 9.2% |
| iOS | 18.4% | <4% | 23.8% |
| Symbian | 4.4% | 40% | 16.6% |

B. Trust in App Repositories

As expected the majority of respondents who use iOS (88.6%) trust the official Apple app store as Apple has taken a walled-garden approach where they retain full control over the installation [24]. What is of concern is that the majority of Symbian users (88.89%) trust the official Symbian repository, as Nokia has chosen an application installation approach that lies between the guardian and end-user control.

Among the sample respondents women were more trusting than men (85% vs. 77%) concerning the official application repositories of their chosen platforms. In addition, users who shared their phones with others were more likely to trust application repositories (87.33% who share vs. 73.98% who don’t).

Although high levels of trust were displayed towards application repositories, 64% of respondents were unaware as to whether applications available in the official repository have undergone any form of security testing. Only a small minority (25.7%) stated that they believed applications had undergone some form of testing. This finding reinforces the fact that respondents blindly trust application repositories and is similar to [1], who found 54.6% of respondents were unaware. As expected, respondents who believed that application repositories do test applications were more likely to exhibit trust towards official application repositories.

Smartphone vendors have taken different approaches to security and the installation of third-party applications. Not all application repositories test and vet applications before allowing distribution to users and as such it is useful to assess differences between platform user groups. A significant number of respondents from each platform incorrectly stated that applications available on the official application repositories are not tested: Android 13.49%; iOS 6.14%; Blackberry 8.64%; Windows Phone 10.53%. Interestingly, of those who (incorrectly) stated that applications available on the official application repositories are not tested, 53.13% trusted application repositories as secure. Additionally, it is of concern that a majority of users who perceived their IT expertise as Excellent were the same users who incorrectly stated that application repositories do not test applications.

C. Security in Application Selection and Installation

It was found that 99.03% of participants install additional third-party applications on their smartphones (an illustrative example of the popular WhatsApp application was given in the questionnaire). Data utilised in this sub-section was a subset of the filtered dataset – only including those that expressly state that they install third-party applications. The most cited consideration for installing new third-party applications was perceived usefulness (47%), followed by price (9%), ratings and reviews (9%), popularity (9%), and perceived ease of use (8%).

The majority (76.3%) of respondents were aware of the existence of smartphone malicious software. Understandably users who perceive their IT expertise to be better, or those with information security training, were more knowledgeable about the existence of malicious smartphone software. It was also found that men were more likely to be aware of malicious software than women (84.68% vs. 66.43%).

Only 6.95% of respondents claimed to consider privacy and security ramifications before installing new applications. The majority of respondents (51%) stated that they only sometimes pay attention to security messages during the installation of a new application; only 10% stated that they never pay any form of attention to security messages. There was no significant difference between life stages. Symbian users (48%) were most likely to always pay attention to security messages during installation, followed by 41.32% of Android users. Blackberry users were the least likely to pay attention to security messages.

Respondents seemed to be more concerned with security messages than licensing messages (agreements) with an alarming total of 37.6% of respondents never paying any attention to licensing messages – a mere 18.7% always pay attention to licensing messages. 41.1% of students never pay any attention to licensing messages. Windows Phone users were the most likely to pay attention to licensing messages (27.78%) followed by Android (20.14%) and Blackberry users (18.63%). iOS users were the most ignorant when it comes to paying attention to licensing messages. Those that paid attention to licensing messages were more inclined to pay attention to security messages as well.

Not surprisingly 80.3% of all respondents (74.8% of students) stated that they do not prefer pirated applications to the purchasing of authentic applications. Respondents who use the Android platform showed the highest propensity to prefer pirated applications, whereas iOS users displayed the least – this could be because of the difficulty in installing pirated applications on iOS devices where devices need to be jail-broken to circumvent the control over the installation of applications imposed by Apple. South African respondents were far less likely to prefer pirated applications than in [1]. Younger respondents were more likely to favour pirated applications than older respondents.

A small, yet significant 9.5% of respondents (8.5% of students) admitted to jail-breaking their devices. Respondents who have actively jail-broken their devices were more likely to prefer pirated applications but this was to be expected as jail-breaking circumvents certain application installation security model controls to allow users to install pirated applications.

D. Security Controls Used

As Figure 3 illustrates, few users use smartphone security software (27.03%), compared to a traditional PC//Netbook (96.85%). Of the respondents, 61.4% indicated that they were aware of the existence of smartphone security software and 50.52% stated that they have searched an application repository for free smartphone security software. Strangely, of the respondents who were aware of smartphone security software and believed it to be essential (55.53%) only 42.11% used smartphone security software.

Fig. 3. Respondents’ Use of Security Software in Various Devices

Users of Apple’s iOS were the least likely to have adopted security software, which is likely a result of limited availability of such software given Apple’s walled-garden approach to application installations. Android users were the most likely to have adopted security software. [1] suggests this could be because of perceived resource (battery) usage, however very few respondents indicated that ‘resource intensity’ was a consideration when installing applications. Respondents who were aware of smartphone security software were more inclined to consider smartphone security software as being essential. In addition such users were also more inclined to search application repositories for free smartphone security software.

Fig. 4. Respondents’ Use of Smartphone Protection Mechanisms

A large proportion of respondents (72.24%) have adopted the most basic smartphone protection mechanism (SIM PIN). However, this may be historically enabled on old SIM cards – SIM PINs are part of GSM specifications and not new to smartphones. The second most popular security control was device password/pattern lock (with or without data wipe), which when combined was adopted by 59.07% of participants.
Device location service was adopted by 37.19% of participants. The responses to all protection mechanisms are shown in Figure 4.

Concerning all controls men were significantly more inclined to adopt security controls than women, which may be related to the fact that women are more trusting of application repositories.

Of the respondents 35.38% have had their phone stolen. In addition, 30.05% have their phone insured against loss, theft, or damage. Thus a general awareness of risk should be present amongst users.

E. The Influence of Language and Culture

No significant security relationships were found when considering home language and culture. This is surprising, as smartphones almost exclusively use English as the language of choice, which may lead to uncertainty and misconceptions regarding security. The result could be attributed to the sample or the fact that the business language in South Africa is predominantly English – the relatively high purchase price of smartphone devices may limit the population to individuals of higher economic means, purely on affordability, which could imply that the same population has a good command of the English language.

F. Comparison with International Data

Similar to [1] the South African sample did not display good information security behaviour and could also be deemed complacent as they place undue trust in official application repositories, do not assess privacy and security implications when installing new applications, and do not adequately protect themselves through adopting pre-installed security mechanisms. Table IV provides a further comparison of these two studies.

TABLE IV
CURRENT RESEARCH VS. [1]

| Item | Current Research | [1] |
|---|---|---|
| Sample | 619 | 458 |
| Age | 18–30 (77.8%) | 15–30 (81%) |
| Gender (Male) | 53.8% | 70.1% |
| Information security training | 7.4% | 43.7% |
| IT expertise | Good | Excellent |
| Concerned about privacy | 83.8% | 95.2% |
| Personal data on mobile phone | 75.9% | 75.8% |
| Business data on mobile phone | 30.2% | 35.8% |
| Aware of malicious software | 76.3% | 81.4% |

It can be seen that this research sample appears similar in age, with a better gender balance. The security knowledge and IT expertise of the current sample is less than [1]. Additionally, there is less concern about privacy despite a similar amount of personal data on the smartphone. In addition there is a lesser awareness of malicious smartphone software.

A summary of the most significant findings – in order of the research questions – concludes this section.

G. Summary of Findings

Users place significant amounts of trust in application repositories, which can leave them vulnerable. Most users (80.45%) trust official application repositories as they believe they are secure. This trust may be founded on a perception that the applications available on official application repositories have been tested. Respondents who perceive their IT expertise to be better or those who have completed information security courses have more deterministic views on application testing which affects levels of trust.

Users pay very little attention to privacy and security when installing applications on their device. The majority of respondents (76.3%) claimed to be aware of malicious smartphone software (especially men with higher perceived levels of IT expertise or information security training) but very few considered privacy and security when choosing to install smartphone applications on their devices. Only 39% of respondents habitually reviewed security messages before installing new applications with an even smaller number (18.7%) having reviewed licensing messages; however respondents that reviewed either message type were likely to review the other type as well. A small minority (predominantly younger respondents) preferred pirated applications which were potentially compromising their security.

Although there were differences between adoption levels of smartphone security controls, specifically related to gender, there was not a satisfactory level of smartphone security control adoption prevalent in the sample.

From the research data it was not evident that home language or culture influences user security awareness in a significant way.

V. CONCLUSION

This research shows that in a South African context users are complacent in their smartphone security behaviours, displaying high levels of trust towards smartphone app repositories. Users rarely consider privacy and security when installing new applications and also do not adequately protect themselves by adopting smartphone protection mechanisms (controls). This research contributes to the existing body of knowledge on smartphone security behaviour, adding knowledge from a developing country (South African) context.

The research did not find any conclusive associations to suggest that a user’s home language impacts their information security behaviour or trust. However, an association between IT expertise and the adoption of smartphone security controls was found.

Gender has shown unexpected relationships with security behaviour, which should be explored further. In addition the African continent, with its diverse set of languages and ethnicities, provides an opportunity to study the influence of culture on user behaviour and the adoption of smartphone security controls. Future research should add rich qualitative data to answer deeper ‘why’ questions related to these issues.

REFERENCES

[1] A. Mylonas, A. Kastania, and D. Gritzalis, “Delegate the smartphone user? security awareness in smartphone platforms,” Computers & Security, vol. 34, pp. 47–66, May 2013.
[2] E. Chin, A. P. Felt, V. Sekar, and D. Wagner, “Measuring user confidence in smartphone security and privacy,” in Proceedings of the Eighth Symposium on Usable Privacy and Security, ser. SOUPS ’12. New York, NY, USA: ACM, 2012, pp. 1:1–1:16.
[3] B. H. Jones and L. Heinrichs, “Do business students practice smartphone security,” Journal of Computer Information Systems, vol. 53, no. 2, pp. 22–30, 2012.
[4] S. Mansfield-Devine, “Paranoid android: just how insecure is the most popular mobile platform?” Network Security, vol. 2012, no. 9, pp. 5–10, Sep. 2012.
[5] J. M. Urban, C. J. Hoofnagle, and S. Li, “Mobile phones and privacy,” Social Science Research Network, Rochester, NY, SSRN Scholarly Paper ID 2103405, Jul. 2012.
[6] S. Furnell and N. Clarke, “Power to the people? the evolving recognition of human aspects of security,” Computers & Security, vol. 31, no. 8, pp. 983–988, Nov. 2012.
[7] E. Albrechtsen and J.
[14] H. Zafar and J. Clark, “Current state of information security research in IS,” Communications of the Association for Information Systems, vol. 24, no. 1, Jun. 2009.
[15] M. Fishbein and I. Ajzen, Belief, Attitude, Intention and Behavior: An Introduction to Theory and Research. Reading, Mass: Addison-Wesley Pub, Jun. 1975.
[16] B. Bulgurcu, H. Cavusoglu, and I. Benbasat, “Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness,” MIS Q., vol. 34, no. 3, pp. 523–548, Sep. 2010.
[17] B. Lebek, J. Uffen, M. H. Breitner, M. Neumann, and B. Hohler, “Employees’ information security awareness and behavior: A literature review,” in 2013 46th Hawaii International Conference on System Sciences (HICSS), Jan. 2013, pp. 2978–2987.
[18] F. D. Davis, R. P. Bagozzi, and P. R. Warshaw, “User acceptance of computer technology: A comparison of two theoretical models,” Management Science, vol. 35, no. 8, pp. 982–1003, Aug. 1989.
[19] A. Al-Omari, O. El-Gayar, and A. Deokar, “Security policy compliance: User acceptance perspective,” in 2012 45th Hawaii International Conference on System Science (HICSS), Jan. 2012, pp. 3317–3326.
[20] T. Dorflinger, A. Voth, J. Kramer, and R. Fromm, “‘My smartphone is a safe!’ The user’s point of view regarding novel authentication methods and gradual security levels on smartphones,” in Proceedings of the 2010 International Conference on Security and Cryptography (SECRYPT), Jul. 2010, pp. 1–10.
[21] M. Landman, “Managing smart phone security risks,” in 2010 Information Security Curriculum Development Conference, ser. InfoSecCD ’10. New York, NY, USA: ACM, 2010, pp. 145–155.
[22] R. Panko, Corporate Computer and Network Security, 2nd ed. Boston: Prentice Hall, Jul. 2009.
[23] M. Theoharidou, A. Mylonas, and D. Gritzalis, “A risk assessment method for smartphones,” in Information Security and Privacy Research, ser. IFIP Advances in Information and Communication Technology, D. Gritzalis, S. Furnell, and M. Theoharidou, Eds. Springer Berlin Heidelberg, Jan. 2012, no. 376, pp. 443–456.
[24] D. Barrera and P. Van Oorschot, “Secure software installation on smartphones,” IEEE Security Privacy, vol. 9, no. 3, pp. 42–48, May 2011.
[25] P. G. Kelley, L. F. Cranor, and N. Sadeh, “Privacy as part of the app decision-making process,” in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ser. CHI ’13. New York, NY, USA: ACM, 2013, pp. 3393–3402.
[26] R. A. Botha, S. M. Furnell, and N. L. Clarke, “From desktop to mobile: Examining the security experience,” Computers & Security, vol. 28, no. 3–4, pp. 130–137, May 2009.
[27] S. Furnell, “Securing mobile devices: technology and attitude,” Network Security, vol. 2006, no. 8, pp. 9–13, Aug. 2006.
[28] Y. Rezgui and A. Marks, “Information security awareness in higher education: An exploratory study,” Computers & Security, vol. 27, no. 7–8, pp. 241–253, Dec. 2008.
[29] T. Mochiko, “BlackBerry and nokia dominate local smartphone market.” [Online]. Available: http://www.bdlive.co.za/business/technology/2012/
Hovden, “The information security digital divide 08/14/blackberry-and-nokia-dominate-local-smartphone-market between information security managers and users,” Computers & Secu- rity, vol. 28, no. 6, pp. 476–490, Sep. 2009. [8] C. Colwill, “Human factors in information security: The insider threat who can you trust these days?” Information Security Technical Report, vol. 14, no. 4, pp. 186–196, Nov. 2009. [9] D.-L. Huang, P.-L. Patrick Rau, G. Salvendy, F. Gao, and J. Zhou, “Factors affecting perception of information security and their impacts on IT adoption and security practices,” International Journal of Human- Computer Studies, vol. 69, no. 12, pp. 870–883, Dec. 2011. [10] R. S. Shaw, C. C. Chen, A. L. Harris, and H.-J. Huang, “The impact of information richness on information security awareness training effectiveness,” Comput. Educ., vol. 52, no. 1, p. 92100, Jan. 2009. [11] R. Kissel, “Glossary of key information security terms,” National Insti- tute of Standards and Technology, Tech. Rep. NISTIR 7298 Revision 2, 2013. [12] J. Luftman and H. S. Zadeh, “Key information technology and man- agement issues 201011: an international study,” Journal of Information Technology, vol. 26, no. 3, pp. 193–204, Sep. 2011. [13] U. Sumita and J. Yoshii, “Enhancement of e-commerce via mobile ac- cesses to the internet,” Electronic Commerce Research and Applications, vol. 9, no. 3, pp. 217–227, May 2010.